On Jun 3, 2011, at 4:23 PM, Uma Chunduri wrote:

> True, privacy through SSH is overkill but strong AUTH is *critical*, I feel:
> - TCP-MD5 should not be considered (as it is anyways deprecated and it's
>   MD5)

What specifically do you mean by "should not be considered"?

> - TCP-AO has only slight advantage as it has less overhead than ipsec-AH
>   even when deployed with manual keys
> - but it's better if it is "MUST support authentication of nodes with
>   TCP-AO or ipsec-AH" because

The drawback of saying "MUST support A or B" is that two implementations may be formally compliant yet not interoperable. That would obviously be undesirable (to say the least). IMO the spec should pick one mandatory one while leaving open the option to support others.

--John

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
